[1192] in WWW Security List Archive

Re: Netscape's little key icon

daemon@ATHENA.MIT.EDU (Albert Lunde)
Sat Nov 25 20:47:10 1995

To: seth@hygnet.com (Seth I. Rich)
Date: Sat, 25 Nov 1995 17:14:18 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199511251802.NAA15247@arkady.hygnet.com> from "Seth I. Rich" at Nov 25, 95 01:02:33 pm
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)
From: Albert-Lunde@nwu.edu (Albert Lunde)
Errors-To: owner-www-security@ns2.rutgers.edu

> Ok, perhaps this is a FAQ item, but I don't recall having read it
> anywhere.  When I open up Netscape, which is admittedly infrequently, I
> see that little key icon in the bottom left corner of the screen.  I'm
> told that when it's a solid key with teethies, that means you're talking
> to a "secure server" (if that phrase has any meaning outside of marketing
> materials).
> 
> This is my question: How is that determined?  If the browser is opened to
> URL A, how does the browser determine whether it's a "secure" thing?  By 
> looking at the server which houses that URL?  By looking at the servers 
> to which forms could potentially be submitted?

You might want to take a look at what Netscape says at:

http://home.mcom.com/info/security-doc.html
http://home.mcom.com/newsref/std/SSL.html

I think the most basic distinctions are made by looking at the URL schemes.

This is http: for ordinary HTTP, and https: for HTTP tunneled thru SSL
(I think this is conventionally assigned another port).

Once Netscape has connected to a secure server, it will authenticate the
server further, cryptographically.  In addition to the authentication
described in the SSL protocol, I seem to recall hearing that Netscape
was distributed with some hardcoded key info to allow it to recognize
some server key certificates in the absence of a better certificate
hierarchy. (But this was some months back and I'm not sure what is
currently the case.)

Judging from the messages and how they are described (i.e. "mixed secure/
insecure documents") it sounds like Netscape is making a first cut by
looking at the URLs in a document, then doing more when it contacts
the server.
-- 
    Albert Lunde                      Albert-Lunde@nwu.edu
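
The URL-scheme "first cut" discussed in the message above, as an added example that is not part of the original post and is not Netscape's code: it labels a document secure, mixed or insecure from the scheme of the page URL and of the images, scripts, frames and form targets it references. The names `classify` and `RefCollector` and the example.test hostnames are assumptions made for illustration; certificate checks made when the server is contacted are outside its scope.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch from or submit to a URL.
URL_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
             ("link", "href"), ("form", "action")}

class RefCollector(HTMLParser):
    """Collect (tag, absolute URL) for sub-resources and form targets."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "base" and name == "href" and value:
                # <base href> changes how later relative URLs resolve.
                self.base = urljoin(self.base, value.strip())
            elif (tag, name) in URL_ATTRS and value is not None:
                self.refs.append((tag, urljoin(self.base, value.strip())))

def classify(page_url, html):
    """Return (verdict, insecure_refs) for a document fetched from page_url."""
    if urlsplit(page_url).scheme.lower() != "https":
        return "insecure", []
    collector = RefCollector(page_url)
    collector.feed(html)
    bad = [(t, u) for t, u in collector.refs
           if urlsplit(u).scheme.lower() == "http"]
    return ("mixed" if bad else "secure"), bad

# Constructed sample document (not taken from the original message).
SAMPLE = """<html><body>
<img src="/logo.gif">
<img src="http://images.example.test/banner.gif">
<form action="http://shop.example.test/order" method="post"></form>
<form action="checkout"></form>
</body></html>"""

if __name__ == "__main__":
    verdict, bad = classify("https://shop.example.test/cart/", SAMPLE)
    print(verdict)
    for tag, url in bad:
        print(" ", tag, url)
```

The form entry in the result speaks to the question quoted at the top of the message: a page fetched over https: can still submit its form to an http: URL, which a check of the page URL alone would not show.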
